REMARKS

Claims 1-9 are pending in the application and stand rejected. 

Rejection under 35 U.S.C. §102

Claims 1 and 9 stand rejected under 35 U.S.C. 102(e) as being anticipated by U.S. Patent 
No. 6,591,306 to Redlich. In the previously filed Response, Applicant explained that Redlich 
does not in fact disclose all claimed limitations. In the present Action, the Examiner answers that 
Redlich does in fact teach "each PDU having a message-type field by which the security entity in 
the intermediate system can determine whether a PDU it receives encapsulates a PDU to be 
extracted and sent on" because the Examiner reads Redlich's message-type field as being the 
PDU's port number that is used to determine where a PDU should be routed. The Examiner also 
maintains that Redlich does contemplate multiple tunnels being available and cites col. 24, ll. 53-57
and col. 25, ll. 15-18.

Applicant once again respectfully traverses the Examiner's rejection in view of this art. 
However, in the interest of making the scope of the claimed invention clearer and thus assisting the
Examiner in identifying the differences between the claimed invention and the art, Applicant has
amended claims 1 and 9, and further canceled claims 7-8 without prejudice. The claimed 
invention is essentially directed to a local system setting up a secure communications session 
with a remote system via an access-controlling intermediate system. To do so, the local system 
sets up a first security session with the intermediate system involving the exchange of protocol 
data units (PDUs) that are referred to in the claims as "first PDUs" and then sets up a second 
security session with the remote system, the second security session being nested in the first 
security session - that is, the PDUs of the second security session ("second PDUs") being 
encapsulated as payload in the first PDUs when passing from the local system to the intermediate 
system. Each such first PDU comprises, in addition to payload data, addressing information and 
a message-type indicator indicating whether the payload of the first PDU is for an application of 
the intermediate system (message type APPLICATION), or whether the payload is to be 
transferred on to the remote system (message type TUNNEL). 

As the Examiner has noted, Redlich uses addressing information of the encapsulated IP 
packets to enable a tunnel endpoint system (such as the tunnel server shown in Figure 11) to
determine where the IP packets are to be routed, and more specifically uses port numbers for this
purpose as disclosed by the discussion of the "IP masquerading" technique in connection with 
the fourth embodiment disclosed. However, a port number is generically part of the addressing 
information of an IP packet (the endpoints of an IP connection are defined by an IP address and a 
port number as is well known to persons skilled in the art). Such use of the port numbers of the 
encapsulated IP packets to enable the tunnel server to determine whether or not to send on a 
packet is a completely different method than that used by the inventions defined by amended 
claims 1 and 9. In Applicant's claims, the decision whether or not the intermediate system (the 
tunnel server of Redlich) should send on an encapsulated "second" PDU (the IP packets of 
Redlich) is based on a message-type indicator that is part of the encapsulating "first" PDU and is 
distinct from the addressing information and payload of that PDU. The encapsulating PDU of 
Redlich is a PPTP packet; there is no disclosure or suggestion anywhere in Redlich that this 
packet has, in addition to the addressing information and payload of the PPTP packet (the PPTP 
packet payload is, of course, the encapsulated IP packet), a message-type indicator that indicates 
whether it encapsulates a second PDU that is to be extracted and sent on. A clear advantage of 
the claimed method is that the intermediate system does not need to look into the encapsulated 
packet in order to determine whether that packet is to be sent on or used locally. 

Applicant further wishes to note that the Examiner appears to have misunderstood the 
earlier argument regarding the single security session set up by Redlich. Again, Applicant's point 
is that the guest station of Redlich only sets up one security session, this being with the tunnel 
server, and does not set up a security session with the target system, as this is unnecessary
because the tunnel server itself exists in a trusted environment (see passage quoted above). The
Examiner cites to disclosure in Redlich that additional secure tunnels may be created to other
trusted routers on the Internet. This has no bearing on Applicant's argument that, regardless,
Redlich does not set up a security session with the target system. Although the tunnels between
the access router and outside router are secure tunnels, they are not set up by the guest station but
by the access router to ensure that guest packets cannot leak out behind the host network's 
firewall. 

In view of the above, Applicant respectfully submits that claims 1 and 9 are in fact 
patentable over Redlich. 

Rejection under 35 U.S.C. §103

Claim 2 stands rejected under 35 U.S.C. 103(a) as being unpatentable over Redlich in 
view of U.S. Pat. No. 5,898,784 to Kirby et al., claims 3-5 as being unpatentable over Redlich in 
view of U.S. Pat. No. 6,081,306 to Subramaniam, and claim 6 as being unpatentable over 
Redlich in view of U.S. Pat. No. 6,574,224 to Brueckheimer. 

Claims 7 and 8 have been canceled without prejudice. 

Claims 2-6 depend from claim 1. "If an independent claim is nonobvious under 35 U.S.C. 
103, then any claim depending therefrom is nonobvious." In re Fine, 837 F.2d 1071, 5 USPQ2d 
1596 (Fed. Cir. 1988). Therefore, in light of the above discussion of claim 1, Applicant submits 
that claims 2-6 are also allowable. 

In view of the above, Applicant submits that the application is now in condition for 
allowance and respectfully urges the Examiner to pass this case to issue. 

The Commissioner is authorized to charge any additional fees which may be required or 
credit overpayment to deposit account no. 08-2025. In particular, if this response is not timely 
filed, the Commissioner is authorized to treat this response as including a petition to extend the 
time period pursuant to 37 CFR 1.136(a) requesting an extension of time of the number of 
months necessary to make this response timely filed and the petition fee due in connection 
therewith may be charged to deposit account no. 08-2025. 